500d Idle Handler Addresses
== General Notes ==

These are some interesting locations I have noticed while looking through the 500D/T1i firmware dump, specifically in the idle handler. They appear to be button-press related; I will update this page as I find more.

== Breaking down GUI Events ==

I have been spending some time breaking down IDLEHandler and working out which event IDs dispatch to which code. Below is my list of events and their corresponding locations in the firmware dump. arg1 appears to be the ID of the event currently being processed by IDLEHandler, since the values match the GUI events known so far (from what has been seen in event spy). Each entry reads: arg1 value --> location reached in the dump, followed by the debug string found at that location. Two ID ranges show up: the 0x8xx values and the 0x100000xx values.

* 0x800 --> loc_FF1CC990 "IDLEHandler GOT_TOP_OF_CONTROL"
* 0x802 --> loc_FF1CC16C "IDLEHandler INITIALIZE_CONTROLLER"
* 0x807 --> loc_FF1CC16C "IDLEHandler PRESS_RIGHT_BUTTON"
* 0x809 --> loc_FF1CCDB0 "IDLEHandler PRESS_LEFT_BUTTON"
* 0x80B --> loc_FF1CCE24 "IDLEHandler PRESS_UP_BUTTON"
* 0x80D --> loc_FF1CC3CC "IDLEHandler PRESS_DOWN_BUTTON"
* 0x80F --> loc_FF1CC9B4 "IDLEHandler PRESS_MENU_BUTTON"
* 0x812 --> loc_FF1CCB54 "GuiMainEventHandlerKeyEvent.c PRESS_SET_BUTTON GUI_SHOOT_LV Requ"
* 0x829 --> sub_FF2DDDB8 "GuiMainEventHandlerKeyEvent.c PRESS_INFO_BUTTON"
* 0x10000000 --> loc_FF1CCBB0 "IDLEHandler PRESS_DISP_BUTTON"
* 0x10000003 --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON%d"
* 0x10000005 --> sub_FF2DDA54 "GuiMainEventHandlerKeyEvent.c PRESS_DIRECT_PRINT_BUTTON"
* 0x10000007 --> loc_FF1CCB84 "GuiMainEventHandlerKeyEvent.c PRESS_FUNC_BUTTON"
* 0x10000009 --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON%d"
* 0x1000000A --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON%d"
* 0x1000000B --> loc_FF1CC4D8 "DlgLiveView.c PRESS_FEL_BUTTON"
* 0x1000000D --> loc_FF1CC4E0 "GuiMainEventHandlerKeyEvent.c PRESS_LV_MOVIE_START_BUTTON"
* 0x1000000E --> loc_FF1CC4E4 "IDLEHandler OPEN_SLOT_COVER "
* 0x1000000F --> loc_FF1CC4E8 "IDLEHandler CLOSE_SLOT_COVER "
* 0x10000012 --> loc_FF1CC4F4 "IDLEHandler START_IDLE_MODE"
* 0x10000013 --> loc_FF1CC4F8 "IDLEHandler START_MENU_MODE"
* 0x10000014 --> loc_FF1CC4FC "IDLEHandler START_PLAY_MODE"
* 0x10000015 --> loc_FF1CC500 "IDLEHandler START_RTCSET_MODE"
* 0x10000016 --> loc_FF1CC504 "IDLEHandler START_DIRECTTRANSFER_MODE"
* 0x10000017 --> loc_FF1CC508 "IDLEHandler START_PICTURESTYLE_MODE"
* 0x10000018 --> loc_FF1CC50C "IDLEHandler START_MENU_WB_MODE"
* 0x10000019 --> loc_FF1CDCB0 "IDLEHandler START_MENU_IMAGESIZE_MODE"
* 0x1000001A --> loc_FF1CC524 "IDLEHandler START_MENU_MEDIA_FOLDER_MODE"
* 0x1000001B --> loc_FF1CC528 "IDLEHandler START_MENU_DRIVE_MODE"
* 0x1000001C --> loc_FF1CC52C "IDLEHandler START_MENU_AF_MODE"
* 0x1000001D --> loc_FF1CC530 "IDLEHandler START_MENU_FECOMP_MODE"
* 0x1000001E --> loc_FF1CC534 "IDLEHandler START_FUNC_MENU_MODE"
* 0x1000001F --> loc_FF1CC538 "IDLEHandler START_MENU_BATTERY_MODE"
* 0x10000020 --> loc_FF1CC53C "IDLEHandler START_MENU_BATTERY_HISTORY_MODE"
* 0x10000021 --> loc_FF1CC540 "IDLEHandler START_USB_ERR"
* 0x10000022 --> loc_FF1CC544 "IDLEHandler START_QR_MODE"
* 0x10000023 --> loc_FF1CC548 "IDLEHandler START_QR_ERASE_MODE"
* 0x10000024 --> loc_FF1CC54C "IDLEHandler START_INFO_MODE"
* 0x10000025 --> loc_FF1CC550 "IDLEHandler START_INFO_LEVEL_MODE"
* 0x10000026 --> loc_FF1CC554 "IDLEHandler START_WARNING_CRYPTO"
* 0x10000027 --> loc_FF1CC558 "IDLEHandler START_WARNING_SW1OFF"
* 0x10000028 --> loc_FF1CC55C "IDLEHandler START_WARNING_RECBUSY"
* 0x10000029 --> loc_FF1CC560 "IDLEHandler START_WARNING_DISABLE_LV"
* 0x1000002A --> loc_FF1CC564 "IDLEHandler START_WARNING_DISABLE_RELEASE"
* 0x1000002B --> loc_FF1CC568 "IDLEHandler START_WARNING_NR_BUSY_FOR_LV"
* 0x1000002C --> loc_FF1CC56C "IDLEHandler START_WARNING_CAMERA_ERR"
* 0x1000002D --> loc_FF1CC570 "IDLEHandler START_WARNING_LENSLESS_MOVIE_MODE"
* 0x1000002E --> loc_FF1CC574 "IDLEHandler START_WARNING_MISC_MOVIE_MODE"
* 0x1000002F --> loc_FF1CC578 "***** IDLEHandler START_OLC_MODE"
* 0x10000030 --> loc_FF1CC57C "IDLEHandler START_UNAVI_MODE"
* 0x10000031 --> loc_FF1CC580 "IDLEHandler START_UNAVI_ISO_MODE"
* 0x10000032 --> loc_FF1CE22C "IDLEHandler START_UNAVI_COMP_AEB_MODE"
* 0x10000033 --> loc_FF1CC5B8 "IDLEHandler START_UNAVI_EFCOMP_MODE"
* 0x10000034 --> loc_FF1CC5BC "IDLEHandler START_UNAVI_AFFRAME_MODE"
* 0x10000035 --> loc_FF1CC5C0 "IDLEHandler START_UNAVI_PS_MODE"
* 0x10000036 --> loc_FF1CC5C4 "IDLEHandler START_UNAVI_WB_MODE"
* 0x10000037 --> loc_FF1CC5C8 "IDLEHandler START_UNAVI_METERING_MODE"
* 0x10000038 --> loc_FF1CC5CC "IDLEHandler START_UNAVI_QUALITY_MODE"
* 0x10000039 --> loc_FF1CC5D0 "IDLEHandler START_UNAVI_AF_MODE"
* 0x1000003A --> loc_FF1CC5D4 "IDLEHandler START_UNAVI_DRIVE_MODE"
* 0x1000003C --> loc_FF1CC5DC "***** IDLEHandler START_LV_MODE"
* 0x1000003D --> loc_FF1CC5E0 "IDLEHandler START_LV_PS_SETTING_MODE"
* 0x1000003E --> loc_FF1CC5E4 "IDLEHandler START_SERVICE_MENU"
* 0x1000003F --> loc_FF1CC5E8 "IDLEHandler POST_QR_IMAGE (0x%x,%d)"
* 0x10000040 --> loc_FF1CEA30 "IDLEHandler.c POST_MADE_FILE(0x%x)"
* 0x10000041 --> loc_FF1CCF88 "IDLEHandler PRESS_SW1_BUTTON"
* 0x10000042 --> loc_FF1CC5EC "IDLEHandler UNPRESS_SW1_BUTTON"
* 0x10000043 --> loc_FF1CC5EC "IDLEHandler PRESS_SW2_BUTTON"
* 0x10000044 --> loc_FF1CC7BC "IDLEHandler UNPRESS_SW2_BUTTON"
* 0x10000050 --> loc_FF1CC7BC "IDLEHandler LOCAL_ERASEALL_PROGRESS(%d)"
* 0x10000054 --> loc_FF1CC828 "IDLEHandler: LOCAL_CANCEL_COPYFILE"
* 0x10000055 --> loc_FF1CEC24 "IDLEHandler LOCAL_FINISH_MRK_WRITE"
* 0x10000058 --> loc_FF1CCFF4 "IDLEHandler LOCAL_DATETIME_NOTHING"
* 0x10000059 --> loc_FF1CD024 "IDLEHandler LOCAL_REFRESH_BATTERIESHISTORY"
* 0x1000005C --> loc_FF1CEF70 "IDLEHandler LOCAL_FILEHANDLE_CLEAR "
* 0x1000005D --> loc_FF1CEF8C "IDLEHandler LOCAL_FINISH_PROTECT(%d)"
* 0x1000006F --> loc_FF1CECB8 "IDLEHandler LOCAL_TURNBACK_DCIM_FOLDER"
* 0x10000079 --> loc_FF1CEE4C "IDLEHandler LOCAL_AEMODE_CHECK "
* 0x10000081 --> loc_FF1CEFBC "IDLEHandler LOCAL_MOVIE_RECORD_STOP"
* 0x10000088 --> loc_FF1CC860 "IDLEHandler OTHER_NOTIFY_JOB_STATE"
* 0x10000089 --> loc_FF1CEA8C "IDLEHandler OTHER_DO_COPY_JOB_STATE"
* 0x1000008B --> loc_FF1CEBEC "IDLEHandler OTHER_DO_COPY_DEVICE_STATE"
* 0x1000008C --> loc_FF1CC8DC "IDLEHandler OTHER_LARGE_MEMORY_STATE"
* 0x10000090 --> loc_FF1CFAD0 ???
* 0x10000091 --> loc_FF1CE564 "IDLEHandler START_SHOOT_NORMAL"
* 0x10000092 --> loc_FF1CE704 "IDLEHandler START_SHOOT_DDD"
* 0x10000093 --> loc_FF1CE834 "IDLEHandler START_SHOOT_MWB"
* 0x10000094 --> loc_FF1CE858 "IDLEHandler START_SHOOT_LV"
* 0x10000095 --> loc_FF1CE900 "IDLEHandler START_SHOOT_MOVIE"
* 0x100000A0 --> loc_FF1CF5C8 "IDLEHandler START_OLC_BULB"
* 0x100000A1 --> loc_FF1CF7E0 "IDLEHandler OTHER_DISCONNECT_LAN_CABLE"
* 0x100000A6 --> loc_FF1CF62C "IDLEHandler OTHER_ERROR_LAN_STATUS"
* 0x100000A7 --> loc_FF1CF820 "IDLEHandler OTHER_LAN_NETWORK_STATUS%ld"
* 0x100000A9 --> loc_FF1CF848 "IDLEHandler OTHER_LAN_DEVICE_DOWN"
* 0x100000AB --> loc_FF1CF878 "IDLEHandler OTHER_REMOTE_OLC_OFF(%d)"
* 0x100000AC --> loc_FF1CF19C "IDLEHandler OTHER_SUSPEND bLockOff(%d)"
* 0x100000AD --> loc_FF1CF228 "IDLEHandler UI_OK"
* 0x100000AE --> loc_FF1CF4DC "IDLEHandler START_AS_CHECK%d"
* 0x100000AF --> loc_FF1CEE6C "IDLEHandler GUI_LOCK_OFF "
* 0x100000B0 --> loc_FF1CEEAC "IDLEHandler GUI_LOCK_ON "
* 0x100000B1 --> loc_FF1CF9AC "IDLEHandler SERVICE_MENU"

== Structures in Memory ==

While looking through IDLEHandler in IDA I noticed a lot of calls and references to one location, 0x3A64, with different offsets from it being referenced. I decided to do a bmp_hexdump() and see what was there. Dumping 20 lines of 32 bytes of memory starting from 0x3A64:

 bmp_hexdump(FONT_SMALL, 0, 50, 0x3a64, 32*20);

I noticed that 0x3AD8 was updating with a 0 or 1 depending on whether I had the shutter pressed halfway or not, so it looks like this location (among many others) holds information about the shutter button being pressed halfway. Offsets observed so far, relative to 0x3A64 (struct?):

* 0x3AD8 - 0 or 1 for half shutter press; also set for a zoom-out press (in live view / shoot mode / movie mode as well)
* 0x3BAC - increments by 1 for each left / right button press only; does not increment while left or right is held down, only on each successive press/unpress
* 0x3BCC - 0x41 idle; 0x39 press left / 0x3B up / 0x37 right / 0x3D down
* 0x3D70 - some kind of counter; counts faster than once per second, only in live view / movie mode

Note that 20 lines of 32 bytes cover 0x3A64 through 0x3CE3, so 0x3D70 (offset 0x30C) lies past the end of that dump; watching it requires a longer dump (at least 0x30D bytes, i.e. 25 lines of 32).

== Todo ==

* Finish breaking down the idle handler.
* Figure out how IDLEHandler is called, specifically where arg0-arg3 come from.
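The "dump, press a button, dump again, look for the byte that changed" method used above, rebuilt as an added C example that runs offline. This is not Magic Lantern or Canon code: the three snapshots are constructed here (on the camera they would be copies of the live region rather than screen output from bmp_hexdump()), the names diff_dumps, find_button_candidates and struct change are my own, the window is widened from 20 to 25 lines of 32 bytes so that 0x3D70 falls inside it, and the byte values at 0x3AD8, 0x3BCC and 0x3D70 are chosen to mirror the observations above. It goes one step past the page's single before/after dump: by taking two idle dumps first, bytes that change on their own (the free-running counter at 0x3D70 is the kind of thing this catches) are discarded, so that only bytes which are stable while idle and flip on the press are reported as button-state candidates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DUMP_BASE  0x3A64u                 /* start of the region, as on the page */
#define DUMP_LINES 25                      /* 25 x 32 = 0x320 bytes, reaches 0x3D70 */
#define DUMP_WIDTH 32
#define DUMP_LEN   (DUMP_LINES * DUMP_WIDTH)

struct change {
    uint32_t addr;   /* absolute address = DUMP_BASE + offset */
    uint8_t  before;
    uint8_t  after;
};

/* Byte-wise diff of two snapshots of the same window. Every differing byte
 * is reported with its absolute address. Returns the total number of
 * differences, even if more than max_out (only max_out are stored). */
size_t diff_dumps(const uint8_t *a, const uint8_t *b, size_t len, uint32_t base,
                  struct change *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (a[i] == b[i])
            continue;
        if (n < max_out) {
            out[n].addr   = base + (uint32_t)i;
            out[n].before = a[i];
            out[n].after  = b[i];
        }
        n++;
    }
    return n;
}

/* Three-snapshot filter: bytes that differ between two idle dumps are
 * counters or other noise and are skipped; only bytes that are stable
 * across idle1/idle2 but differ between idle2 and pressed are reported. */
size_t find_button_candidates(const uint8_t *idle1, const uint8_t *idle2,
                              const uint8_t *pressed, size_t len, uint32_t base,
                              struct change *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (idle1[i] != idle2[i])          /* noisy byte: skip */
            continue;
        if (idle2[i] == pressed[i])        /* unaffected by the press: skip */
            continue;
        if (n < max_out) {
            out[n].addr   = base + (uint32_t)i;
            out[n].before = idle2[i];
            out[n].after  = pressed[i];
        }
        n++;
    }
    return n;
}

/* Constructed sample data, not a real camera dump. Values mirror the page:
 * 0x3AD8 is 0 idle / 1 at half-shutter, 0x3BCC is 0x41 idle, and 0x3D70
 * keeps counting whether or not a button is pressed. */
void build_snapshots(uint8_t idle1[DUMP_LEN], uint8_t idle2[DUMP_LEN],
                     uint8_t pressed[DUMP_LEN])
{
    memset(idle1, 0, DUMP_LEN);
    idle1[0x3BCC - DUMP_BASE] = 0x41;      /* idle key code */
    idle1[0x3D70 - DUMP_BASE] = 0x10;      /* counter */
    memcpy(idle2, idle1, DUMP_LEN);
    idle2[0x3D70 - DUMP_BASE] = 0x27;      /* counter advanced, still idle */
    memcpy(pressed, idle2, DUMP_LEN);
    pressed[0x3AD8 - DUMP_BASE] = 1;       /* half-shutter flag */
    pressed[0x3D70 - DUMP_BASE] = 0x33;    /* counter advanced again */
}

int main(void)
{
    uint8_t idle1[DUMP_LEN], idle2[DUMP_LEN], pressed[DUMP_LEN];
    struct change found[16];
    build_snapshots(idle1, idle2, pressed);

    size_t raw = diff_dumps(idle2, pressed, DUMP_LEN, DUMP_BASE, found, 16);
    printf("raw diff idle->pressed: %zu byte(s) changed\n", raw);
    for (size_t i = 0; i < raw && i < 16; i++)
        printf("  0x%04X: 0x%02X -> 0x%02X\n", found[i].addr, found[i].before, found[i].after);

    size_t cand = find_button_candidates(idle1, idle2, pressed, DUMP_LEN, DUMP_BASE, found, 16);
    printf("after noise filter: %zu candidate(s)\n", cand);
    for (size_t i = 0; i < cand && i < 16; i++)
        printf("  0x%04X: 0x%02X -> 0x%02X\n", found[i].addr, found[i].before, found[i].after);
    return 0;
}
```

On the constructed data the raw diff reports two changed bytes (0x3AD8 and the counter at 0x3D70), and the filtered pass leaves only 0x3AD8. On real hardware the same idea applies with more idle snapshots: anything that changes without input is a timer or a DMA/rendering side effect, not a button flag, and a byte that only changes on a press but reverts on release (like 0x3AD8) is the one to watch.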